Introducing Our First Podcast Series: The Scope 3 Agenda
Learn More
New: The 6th Edition of the Business Sustainability Risk and Performance Index
View Now

Quality, Security, Privacy and Compliance


EcoVadis is committed to creating a reliable CSR rating system that is consistent over time and offers comparability so that suppliers can be benchmarked across the wide variety of sectors and countries.

EcoVadis has developed a quality management system (QMS) which is certified ISO 9001. We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process. We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.

  • Employee training program
    • Q&IS training programs for all newcomers during the onboarding period with quizzes and set pass marks to verify effectiveness plus mandatory annual refresher training for all employees followed by quizzes.
  • Corrective and preventive action
    • Continuous improvement with the identification of improvement areas to eliminate non-conformities or prevent reoccurence. One example being the use of the Quality Check Form (QCF) at each stage of the evaluation process.
  • Incident management Process
    • Customer and supplier complaints as well as internal issues are reported, recorded and managed through an Incident Management Platform. All incidents are reviewed regularly by concerned parties and resolved within a given timeframe.
  • Internal audit
    • The Internal Audit Program is set over a period of 3 years where Information Security audits are conducted twice per year and all internal processes undergo a Quality audit at least once per year. Audit results are reviewed and discussed during our biannual Management Review.
      Information Security

Information Security

EcoVadis is committed to provide the highest level of Information Security and to continuously improve in order to protect all stakeholders’ data in an evolving landscape of information security threats. For this reason, EcoVadis has established an Information Security management system (ISMS) which is certified ISO27001 and which enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk evaluation.

  • Encryption in transit
    • Transmitted data is encrypted and secured against eavesdropping
  • Encryption at rest
    • Data stored on EcoVadis storage is encrypted at rest
  • 24/7 Monitoring
    • Service performance, availability and real user experience are constantly monitored
  • Continuous security tests
    • Solid protection of application, network and infrastructure is provided by regular security tests and audits
  • Security Hardening
    • Systems and services are prepared in line with the best security practices and frameworks
  • Network Protection
    • Network access to internal services and servers is restricted and secured
  • Incident detection Process
    • Constant monitoring and detection of security events on services, servers and user activities
  • Resilience and Backups
    • Services provided by EcoVadis are redundant, data centers are geographically separated. Backups in place for all data.
  • Trusted partnership
    • Platforms are hosted on Microsoft Azure in the EU, one of the most trusted cloud hosting providers

The ISMS and QMS build an integrated management system allowing us to ensure the availability, integrity, confidentiality and traceability of information.

EU General Data Protection Regulation

EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller Ecovadis is committed to comply with regulations and to put in place the best practices.

Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the ISO 27701 framework to meet GDPR requirements. Our data protection practices and compliance are confirmed by a third party audit.

For the data processing performed outside of the EU, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.

We always carefully select our providers (processors) and we require the conclusion of Data Protection Agreements with processors and Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR) in case of processing outside of the EEA region to be able to work for us. We always aim to choose subscriptions with providers  to have data hosted on servers based in Europe. We use the following major processors:

Legal EntityAddressPurposeAdditional Security Information
ZenDesk 1019 Market Street,
San Francisco, CA 94103 USA
Customer Support
SFDC 2 Henry Adams St,
San Francisco, CA 94103 USA
Microsoft Azure Microsoft Campus,
Redmond, WA 98052 USA
Hosting of the Sustainability assessment platform
Google 1600 Amphitheatre Parkway
Mountain View, CA 94043 USA
Customer communication
Selligent 20 Place des Vins de France,75012 Paris FRANCE Customer communication
Slack One Park Place,
Upper Hatch Street
Dublin 2
Customer Support
Docebo Limited
6th floor, 48
Street, London –
E-Learning platform
Pendo 150 Fayetteville St
Raleigh NC, USA
Platform analytics
Productboard 612 Howard
streetCA 94105
San Francisco CA,
Product management
Aircall 11 Rue Saint
Georges, 75009
Call recording

We are awaiting recommendations on additional measures to be issued by the French Data protection authority CNIL concerning the possibilities of transferring data to the United States based on SCCs (or BCR). Depending on their opinion, we will take further action.

Learn more in our statement of data privacy

Export Control and Sanctions Compliance

EcoVadis is committed to be in compliance with all applicable laws and regulations applicable to an operator of general purpose online services, including US and French export law, in terms of its own operating locations for the services.

Destination Restrictions

Taking into account overall business risks, Ecovadis products and services are not available for export, reexport, transfer and/or use in the following countries/regions (subject to change without notice):

  • Crimea Region
  • Cuba
  • Iran
  • North Korea
  • Syria

Additionally, transactions with or related to certain destinations that pose an elevated export control or sanctions risk are subject to enhanced due diligence requirements.

End-User Restrictions

EcoVadis products and services are not available to entities and individuals with whom transactions are prohibited under applicable export control and sanctions laws, including those listed on any applicable sanctioned party lists (e.g., European Union Sanctions List, U.S. Specially Designated National (SDN) lists, OFAC, United Nations Security Council Sanctions, local lists where EcoVadis has its presence).

End-use Restrictions

EcoVadis Services must not be used for any purposes prohibited by Applicable Export Laws, including, without limitation, for the development, design, manufacture or production of nuclear, chemical or biological weapons of mass destruction.

This web page is for general informational purposes only and does not constitute legal advice.